Few sectors have found themselves immune to cyberattacks over the past decade. Some, like the healthcare industry, have unfortunately become a perennial target.

To try and stop the next attack, the U.S. Department of Health and Human Services’ Office for Civil Rights reminded facilities this week to review their risk management policies sooner than later to prevent hacks and improve their overall cybersecurity posture.

Lisa Pino, who took over as the OCR’s Director last September, urged organizations to ensure they have the correct solutions in place to protect themselves during a presentation on Tuesday. The presentation, which covered the agency's policy and rule-making priorities, was given virtually at the 31st National HIPAA Summit.

As part of her session, Pino emphasized how critical it is to know where sensitive healthcare data, like electronic protected health information (ePHI) resides in a system, stressing that organizations need to look beyond just the electronic health record.

“I cannot underscore enough the importance of enterprise-wide risk analysis,” Pino said, “Risk management strategies need to be comprehensive in scope. You should fully understand where all electronic protected health information (ePHI) exists across your organization – from software, to connected devices, legacy systems, and elsewhere across your network.”

Pino acknowledged some of the difficulties some providers faced head on over the past year, including hospitals that were forced to cancel surgeries, chemotherapy, and other exams because systems were disabled because of malware or ransomware.

Pino could have been referring to any of the numerous attacks last year. A San Diego-based family of hospitals had multiple class action lawsuits filed against it last year after its systems were taken offline for weeks in May. The attack had lingering repercussions; personal information, including names, drivers’ licenses and Social Security numbers and patient care records of nearly 150,000 of its patients was compromised following the attack.

To prevent an attack like ransomware from wreaking havoc on their systems, Pino encouraged organizations to follow best practices, including:   

• Maintaining offline, encrypted backups of data and regularly test your backups;
• Conducting regular scans to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface;
• Regular patches and updates of software and Operating Systems; and
• Training your employees regarding phishing and other common IT attacks.

Pino also used the session as an opportunity to point attendees to two reports the agency recently submitted to Congress, including its 2020 report on HIPAA Privacy, Security, and Breach Notification Compliance and its 2020 report on Breaches of Unsecured Protected Health Information.

HHS is required to complete both reports, summarizing the agency's enforcement activities from that year, and send them to Congress under the Health Information Technology for Economic and Clinical Health (HITECH) Act. While the reports cover incidents and settlements from two years ago, both should act as guiding stars for Covered Entities looking for guidance when it comes to complying with HIPAA.